[cas-user] Re: Overriding Problems with cas.properties

2018-02-15 Thread Oscar del Pozo
Notice that the cas.properties actually used is the one located at 
/etc/cas/config (c:/etc/cas/config on Windows). The script 
copies your project configuration to that folder before building the web 
app (target generation).

On Thursday, 15 February 2018 at 16:05:28 (UTC+1), Kevin Liu wrote:
>
> Hello,
>
> It is my understanding that cas.properties should override whatever 
> properties are in WEB-INF/classes application.properties. Is this correct?
>
> If so, I'm having trouble overriding 
> "cas.authn.accept.users=casuser::Mellon". With a blank value in 
> cas.properties and "cas.authn.accept.users=casuser::Mellon" in 
> application.properties, I'm still getting status authentication warning.
>
> It seems as if changing values in cas.properties doesn't have any effect; 
> only changes to the values in application.properties do.
>
> The only thing I did differently is that instead of pointing to 
> /etc/cas/config, I have it pointing to /etc/cas1/config (this is to 
> allow multiple CAS instances on the same box). Can I not do this?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/675c8f27-a5b7-40cc-847d-34b186cf3c81%40apereo.org.


Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-29 Thread Oscar del Pozo
I have just tested the new version and it seems to fail. This issue 
should be re-opened in the GitHub project.

On Monday, 29 January 2018 at 15:34:54 (UTC+1), Ben Howell-Thomas wrote:
>
> Thankyou :)
>
> On 23 January 2018 at 16:27, Oscar del Pozo <oscard...@gmail.com> wrote:
>
>> Hi,
>>
>> I've made a pull request solving this issue: 
>> https://github.com/apereo/inspektr/pull/10. It has already been approved.
>>
>> On Friday, 19 January 2018 at 16:47:02 (UTC+1), Ben Howell-Thomas 
>> wrote:
>>>
>>> Might have solved it.
>>>
>>> To confirm what Mohsen said, seems fine in 5.2.0.
>>>
>>> Between 5.2.0 and 5.2.1 the inspektrVersion goes up from 1.7.0 to 
>>> 1.7.1.GA. 
>>>
>>> Between them, ah - I think I may have found it - 
>>> org.apereo.inspektr.audit.AuditTrailManagementAspect changes line 141 
>>> from :
>>>
>>> } catch (final Exception e) {
>>>
>>>
>>> to 
>>>
>>> } catch (final Throwable e) {
>>>
>>>
>>> I think I remember reading that polymorphism type things are worked out 
>>> at compile time.  If it's treating the AuthenticationException as a 
>>> Throwable then that's not an Exception (since Exception is a sub-class of 
>>> Throwable) but it is an Object, hence it calls the 
>>> org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver.resolveFrom 
>>> method that uses the Object parameter and is therefore considered a success.
>>>
>>> This looks like a side effect of this commit to Inspektr:
>>>
>>>>
>>>> Commit: a51eefbc0fe6619bb651b91a99f44bb6d262e744 [a51eefb]
>>>> Parents: 8a07750485, 0cdde58bcc
>>>> Author: Misagh Moayyed <mmoa...@unicon.net>
>>>> Date: 06 March 2017 16:17:35
>>>> Committer: GitHub <nor...@github.com>
>>>> Merge pull request #8 from vvidovic/cherry-pick
>>>> Fix: auditing on Erorr (not only Exception)
>>>
>>>
>>> @Misagh/Apereo/everyone - Hope that's been helpful.  I'm sorry but I 
>>> haven't got time to submit a patch (partly because upgrading to 5.2 has 
>>> taken so long ;).  If it's not something anyone's likely to pick up I could 
>>> maybe look at it next week.
>>>
>>> blessings,
>>>
>>> Ben
>>>
>>> On 19 January 2018 at 14:52, Jeffrey Ramsay <jeffrey...@gmail.com> 
>>> wrote:
>>>
>>>> How are you getting these statements in your logs? I can produce them 
>>>> since upgrading to 5.1 and it was used for our Splunk system.
>>>>
>>>> >>> level="info" additivity="false" includeLocation="true">
>>>> 
>>>> 
>>>> 
>>>>
>>>> -Jeff
>>>>
>>>> On Thu, Jan 11, 2018 at 2:35 AM, Mohsen Ebrahimi <ebrah...@of.iut.ac.ir> wrote:
>>>>
>>>>> Hello
>>>>>
>>>>> It works fine in 5.2. I think it's a bug.
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>> 2018-01-11 02:18:15,693 WARN 
>>>>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - >>>> resolution 
>>>>> failed. [DN cannot be null]>
>>>>> 2018-01-11 02:18:15,694 ERROR 
>>>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>>>> >>>> find 
>>>>> authentication handler that supports [wronguser] of type 
>>>>> [UsernamePasswordCredential].>
>>>>> 2018-01-11 02:18:15,697 INFO 
>>>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
>>>>> >>>> trail record BEGIN
>>>>> =
>>>>> WHO: wronguser
>>>>> WHAT: Supplied credentials: [wronguser]
>>>>> ACTION: AUTHENTICATION_SUCCESS
>>>>> APPLICATION: CAS
>>>>> WHEN: Thu Jan 11 02:18:15 EST 2018
>>>>>

[cas-user] Re: CAS 5.2.1 - Error loading ShibbolethAttributeResolverConfiguration

2018-01-26 Thread Oscar del Pozo
OK, 

I think I have a workaround.

I excluded the ShibbolethAttributeResolverConfiguration adding to my 
application.yml the following

> spring:
>   autoconfigure:
>     exclude: org.apereo.cas.config.ShibbolethAttributeResolverConfiguration


Then, I made my own AttributeResolverConfiguration class (a copy of 
ShibbolethAttributeResolverConfiguration) where I set a dependency 
on OpenSamlConfigBean to ensure that bean is loaded before my config 
bean and, finally, I added my new bean to the spring.factories file.

Anyway, I think that ShibbolethAttributeResolverConfiguration should 
include the dependency on the samlConfigBean, shouldn't it?


On Friday, 26 January 2018 at 14:14:47 (UTC+1), Oscar del Pozo wrote:
>
> Hi!
>
> I'm trying to configure CAS to act as an identity provider. I have 
> configured my service, metadata, etc... but I'm having troubles with my 
> attribute-resolver.xml and it seems to be a problem with the bean 
> initialization order.
>
> The problem is creating the bean attributeRepository 
> at ShibbolethAttributeResolverConfiguration 
> (cas-server-support-shibboleth-attributes dependency, following the 
> https://apereo.github.io/cas/5.2.x/integration/Attribute-Resolution.html#shibboleth 
> doc).
>
> When the bean is being created an exception is thrown because 
> the XMLObjectProviderRegistry has not been initialized yet (it is 
> initialized by OpenSamlConfigBean). Here is the exception:
>
> 2018-01-26 14:05:01,616 WARN 
>> [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext] - 
>> > attempt: org.springframework.beans.factory.BeanCreationException: Error 
>> creating bean with name 
>> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>>  
>> Instantiation of bean failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>>  
>> Constructor threw exception; nested exception is 
>> java.lang.NullPointerException>
>> 2018-01-26 14:05:05,615 WARN 
>> [org.apereo.cas.config.ShibbolethAttributeResolverConfiguration] - > creating bean with name 
>> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>>  
>> Instantiation of bean failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>>  
>> Constructor threw exception; nested exception is 
>> java.lang.NullPointerException>
>> org.springframework.beans.factory.BeanCreationException: Error creating 
>> bean with name 
>> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>>  
>> Instantiation of bean failed; nested exception is 
>> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
>> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>>  
>> Constructor threw exception; nested exception is 
>> java.lang.NullPointerException
>> at 
>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1155)
>>  
>> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> [...]
>> Caused by: org.springframework.beans.BeanInstantiationException: Failed 
>> to instantiate 
>> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>>  
>> Constructor threw exception; nested exception is 
>> java.lang.NullPointerException
>> at 
>> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154) 
>> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:89)
>>  
>> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> at 
>> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1147)
>>  
>> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
>> ... 108 more
>> Caused by: java.lang.NullPointerException
>> at 
>> org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory(XMLObjectProviderRegistrySupport.java:107)
>>  
>> ~[opensaml-core-3.3.0.jar:?]
>> at 
>> net.shibboleth.idp.saml.attribute.encoding.AbstractSAML2AttributeEncoder.(AbstractSAML2AttributeEncoder.java:61)
>>  
>> ~[idp-saml-api-3.3.1.jar:?]
>
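The bean-ordering workaround described in this message, as an added example rather than CAS code: a replacement configuration class marked @DependsOn the OpenSAML bootstrap bean, with a guard that reports a missing XMLObjectProviderRegistry as a descriptive error instead of the NullPointerException seen in the stack trace. The bean name "shibboleth.OpenSAMLConfig", the package and the class name are assumptions to verify against your CAS version.

```java
package org.example.cas.config; // hypothetical package, not part of CAS

import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

/**
 * Added example, not CAS code. Stands in for the excluded
 * ShibbolethAttributeResolverConfiguration: it is only created after the
 * OpenSAML bootstrap bean, and it fails fast with a readable message when the
 * XMLObjectProviderRegistry is still missing (the condition behind the NPE in
 * XMLObjectProviderRegistrySupport.getBuilderFactory). Register the class in
 * META-INF/spring.factories under
 * org.springframework.boot.autoconfigure.EnableAutoConfiguration.
 */
@Configuration("myAttributeResolverConfiguration")
@DependsOn(MyAttributeResolverConfiguration.OPEN_SAML_CONFIG_BEAN)
public class MyAttributeResolverConfiguration {

    /** Assumed bean name of OpenSamlConfigBean in CAS 5.2; check it in your deployment. */
    static final String OPEN_SAML_CONFIG_BEAN = "shibboleth.OpenSAMLConfig";

    /**
     * Returns the OpenSAML registry or throws a descriptive IllegalStateException,
     * instead of letting a NullPointerException surface deep inside an encoder constructor.
     */
    static XMLObjectProviderRegistry requireOpenSamlRegistry() {
        final XMLObjectProviderRegistry registry =
                ConfigurationService.get(XMLObjectProviderRegistry.class);
        if (registry == null) {
            throw new IllegalStateException("OpenSAML XMLObjectProviderRegistry is not initialised; "
                    + "bean [" + OPEN_SAML_CONFIG_BEAN + "] must be created before the attribute resolver");
        }
        return registry;
    }

    /** Builder factory the SAML attribute encoders need; non-null once this bean exists. */
    @Bean
    @DependsOn(OPEN_SAML_CONFIG_BEAN)
    public XMLObjectBuilderFactory openSamlBuilderFactory() {
        return requireOpenSamlRegistry().getBuilderFactory();
    }

    // Declare the attributeRepository @Bean in this same class (copied from
    // ShibbolethAttributeResolverConfiguration) and have it inject
    // openSamlBuilderFactory(): that makes the ordering explicit in the bean graph
    // rather than relying on auto-configuration order.
}
```

The @DependsOn on the class guarantees the configuration instance, and therefore every @Bean method on it, is created after the OpenSAML bootstrap; the repeated @DependsOn on the method is belt-and-braces for the case where the bean is referenced before the configuration class is fully processed.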

[cas-user] CAS 5.2.1 - Error loading ShibbolethAttributeResolverConfiguration

2018-01-26 Thread Oscar del Pozo
Hi!

I'm trying to configure CAS to act as an identity provider. I have 
configured my service, metadata, etc... but I'm having troubles with my 
attribute-resolver.xml and it seems to be a problem with the bean 
initialization order.

The problem is creating the bean attributeRepository 
at ShibbolethAttributeResolverConfiguration 
(cas-server-support-shibboleth-attributes dependency, following the 
https://apereo.github.io/cas/5.2.x/integration/Attribute-Resolution.html#shibboleth 
doc).

When the bean is being created an exception is thrown because 
the XMLObjectProviderRegistry has not been initialized yet (it is 
initialized by OpenSamlConfigBean). Here is the exception:

2018-01-26 14:05:01,616 WARN 
> [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext] - 
>  attempt: org.springframework.beans.factory.BeanCreationException: Error 
> creating bean with name 
> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>  
> Instantiation of bean failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>  
> Constructor threw exception; nested exception is 
> java.lang.NullPointerException>
> 2018-01-26 14:05:05,615 WARN 
> [org.apereo.cas.config.ShibbolethAttributeResolverConfiguration] -  creating bean with name 
> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>  
> Instantiation of bean failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>  
> Constructor threw exception; nested exception is 
> java.lang.NullPointerException>
> org.springframework.beans.factory.BeanCreationException: Error creating 
> bean with name 
> 'net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder#0':
>  
> Instantiation of bean failed; nested exception is 
> org.springframework.beans.BeanInstantiationException: Failed to instantiate 
> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>  
> Constructor threw exception; nested exception is 
> java.lang.NullPointerException
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1155)
>  
> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> [...]
> Caused by: org.springframework.beans.BeanInstantiationException: Failed to 
> instantiate 
> [net.shibboleth.idp.saml.attribute.encoding.impl.SAML2StringAttributeEncoder]:
>  
> Constructor threw exception; nested exception is 
> java.lang.NullPointerException
> at 
> org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:154) 
> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:89)
>  
> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:1147)
>  
> ~[spring-beans-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> ... 108 more
> Caused by: java.lang.NullPointerException
> at 
> org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport.getBuilderFactory(XMLObjectProviderRegistrySupport.java:107)
>  
> ~[opensaml-core-3.3.0.jar:?]
> at 
> net.shibboleth.idp.saml.attribute.encoding.AbstractSAML2AttributeEncoder.(AbstractSAML2AttributeEncoder.java:61)
>  
> ~[idp-saml-api-3.3.1.jar:?]


The NPE point:

public static XMLObjectBuilderFactory getBuilderFactory() {
    // ConfigurationService.get(...) returns null here when OpenSamlConfigBean has not run yet
    return ConfigurationService.get(XMLObjectProviderRegistry.class)
            .getBuilderFactory();
}




My configuration:

cas.properties

> cas.authn.samlIdp.entityId=entityId
> cas.authn.samlIdp.hostName=HOST
> cas.authn.samlIdp.scope=HOST
> cas.authn.samlIdp.metadata.cacheExpirationMinutes=60
> cas.authn.samlIdp.metadata.location=file:/etc/cas/saml
> cas.authn.samlIdp.metadata.requireValidMetadata=true
> cas.authn.samlIdp.response.signError=false
> cas.authn.samlIdp.response.useAttributeFriendlyName=true
> #cas.authn.samlIdp.metadata.failFast=true
> #cas.authn.samlIdp.metadata.privateKeyAlgName=RSA
> #cas.authn.samlIdp.response.skewAllowance=0
>
> cas.shibAttributeResolver.resources=file:/etc/cas/saml/attribute-resolver.xml


attribute-resolver.xml

> 
>  xmlns="urn:mace:shibboleth:2.0:resolver"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
> xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver 
> http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd;> 


> 
> 
> 
>  sourceAttributeID="firstname">
> 
>  name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="FirstName" 
> encodeType="false" 
> 

[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-25 Thread Oscar del Pozo
Hi Francis,

> Modify the webflow by adding a new 
> TransitionExecutingFlowExecutionExceptionHandler or adding a 
> new TransitionSet catching the error into clientAction.


That's exactly what I have done right now and it's working. Thanks for your 
answer! 

On Thursday, 25 January 2018 at 10:57:30 (UTC+1), Francis wrote:
>
> The error 'map[[empty]]' comes from the fact that the webflow from pac4j 
> doesn't correctly catch the error sent by 
> AbstractPac4jAuthenticationHandler.
>
> From my point of view the solution would be to modify the webflow in 
> order to "accept" your exception and to redirect to a new action you have 
> defined.
>
> Two solutions: you can override 
> org.apereo.cas.web.flow.Pac4jWebflowConfigurer 
> (faster) or extend the webflow via a new configuration of your own (nicer).
> Modify the webflow by adding a new 
> TransitionExecutingFlowExecutionExceptionHandler or adding a 
> new TransitionSet catching the error into clientAction.
>
> See some examples 
> in org.apereo.cas.web.flow.configurer.DefaultWebflowConfigurer
>
> See as well https://github.com/apereo/cas/pull/3138 
> which shows how the webflow can be 
> modified in the case of pac4j
>
> On Tuesday, January 23, 2018 at 4:10:34 PM UTC+1, Oscar del Pozo wrote:
>>
>> Hi!
>>
>> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but 
>> I'm facing a problem with the Google OAuth authentication.
>>
>> I have configured delegated authentication to Google with pac4j 
>> successfully, but I need to make a modification: only allow the emails which 
>> end with @companyname.com (I do agree that 
>> this kind of thing should not be done at CAS, because this is about 
>> authorization and not authentication, but I have to).
>>
>> I have added a new AuthorizationGenerator to the Google2Client instance 
>> so that, after retrieving the user profile with the Google2ProfileDefinition 
>> class, I make my validation and, in case the user email is not a 
>> valid one, I set the profile identifier to blank. The blank 
>> identifier causes a FailedLoginException at 
>> AbstractPac4jAuthenticationHandler.
>>
>> Everything seems to work fine but finally I get the following exception 
>> and the CAS error page is shown.
>>
>>
>> 2018-01-23 15:58:48,581 DEBUG 
>>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - >> access_token: ya29.Glx... to profile>
>>> 2018-01-23 15:58:48,581 DEBUG 
>>> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
>>> access_token / value:XXX-XXX / class java.lang.String>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>>> >> {name.familyName=del Pozo, 
>>> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
>>> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
>>> name.givenName=Oscar, ... |>
>>> 2018-01-23 15:58:49,599 WARN 
>>> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
>>> - 
>>> 2018-01-23 15:58:49,599 DEBUG 
>>> [org.pac4j.oauth.profile.google2.Google2Profile] 
>>> - 
>>> 2018-01-23 15:58:51,789 ERROR 
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>> >> authentication handler that supports 
>>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>>  
>>> of type [ClientCredential].>
>>> 2018-01-23 15:58:53,216 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: null
>>> WHAT: Supplied credentials: 
>>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
>>> authentication has actually failed: 
>>> https://github.com/apereo/inspektr/pull/10)
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 15:58:53 CET 2018
>>> CLIENT IP ADDRESS: 192.168.56.1
>>> SERVER IP ADDRESS: 192.168.56.1
>>> =
>>> >
>>> 2018-01-23 15:58:53,247 ERROR 
>>> [org.springframework.boot.web.support.ErrorPageFilter] - >> error page from request [/login] due to exception [Exception thrown 
>>> executing 
>>> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAut

[cas-user] Re: customize LdapAuthenticationHandler in 5.2.0

2018-01-25 Thread Oscar del Pozo
Hi!

You have a NullPointerException creating your new Bean

org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'PostLdapAuthenticationHandler': Invocation of init method failed; 
nested exception is java.lang.NullPointerException

Caused by: java.lang.NullPointerException
at 
org.apereo.cas.authentication.LdapAuthenticationHandler.initialize(LdapAuthenticationHandler.java:318)
 ~[cas-server-support-ldap-5.2.1.jar:5.2.1]


That LdapAuthenticationHandler line throws an exception when the authenticator 
property is null. That property is set in your constructor with super("", 
servicesManager, principalFactory, order, authenticator, strategy);


So, what seems to be wrong is that your constructor is receiving a null 
authenticator. This authenticator is created by the method 
ldapAuthenticationHandlers in LdapAuthenticationConfiguration; try to check it 
out.


On Thursday, 25 January 2018 at 0:29:39 (UTC+1), satnam wrote:
>
> Hello,
>
> we are trying to upgrade CAS from 4.2.x to 5.2 and we have customized 
> LdapAuthenticationHandler in the older version and are trying to upgrade it to 
> the newer version. In 5.2.x we get the following error (see attached ca.log for 
> detail).
>
>  

>
>
> how can we resolve this error? 
>
>
> ==
> public class PostLdapAuthenticationHandler extends LdapAuthenticationHandler {
>     private static final Logger LOGGER = LoggerFactory.getLogger(PostLdapAuthenticationHandler.class);
>
>     public PostLdapAuthenticationHandler(final String name, final ServicesManager servicesManager,
>                                          final PrincipalFactory principalFactory, final Integer order,
>                                          final Authenticator authenticator,
>                                          final LdapPasswordPolicyHandlingStrategy strategy,
>                                          DataSource dataSource) {
>         super("", servicesManager, principalFactory, order, authenticator, strategy);
>         this.LOGGER.debug("***PostLDAPAuthenticationHandler ");
>         this.LOGGER.debug("***PPostLdapAuthenticationHandler end ");
>     }
>
>     @Override
>     public final boolean preAuthenticate(final Credential credential) {
>         LOGGER.debug("preAuthenticate***");
>         final UsernamePasswordCredential usernamePasswordCredentials = (UsernamePasswordCredential) credential;
>         final String userName = usernamePasswordCredentials.getUsername();
>         final int charPos = userName.lastIndexOf('@');
>         final boolean ret = (charPos == -1 || userName.substring(charPos).equalsIgnoreCase("@post.ca.gov"));
>         if (this.LOGGER.isDebugEnabled())
>             this.LOGGER.debug("PostLdapAuthenticationHandler.preAuthenticating " + userName + " "
>                     + (ret ? "succeeded" : "failed"));
>         return ret;
>     }
>
>     @Override
>     public final HandlerResult postAuthenticate(final Credential credential, final HandlerResult result) {
>         LOGGER.debug("postAuthenticate***");
>         ** OUR CUSTOMIZATION ***
>         final PrincipalFactory f = new DefaultPrincipalFactory();
>         return createHandlerResult(credential, f.createPrincipal(Integer.toString(userId), attrs),
>                 result.getWarnings());
>     }
> }
>
>
> @Configuration("PostLdapAuthenticationHandlerConfiguration")
> @EnableConfigurationProperties(CasConfigurationProperties.class)
> public class PostLdapAuthenticationHandlerConfiguration implements AuthenticationEventExecutionPlanConfigurer {
>     private static final Logger logger = LoggerFactory.getLogger(PostLdapAuthenticationHandlerConfiguration.class);
>
>     @Autowired
>     private CasConfigurationProperties casProperties;
>
>     @Autowired
>     @Qualifier("servicesManager")
>     private ServicesManager servicesManager;
>
>     @Bean
>     public AuthenticationHandler PostLdapAuthenticationHandler() {
>         DataSource dataSource = new DataSource();
>
>         final PostLdapAuthenticationHandler handler =
>                 new PostLdapAuthenticationHandler("GUID", servicesManager, null, 1, null, null, dataSource);
>
>         /*
>          Configure the handler by invoking various setter methods.
>          Note that you also have full access to the collection of
>          resolved CAS settings.
>          Note that each authentication handler may optionally qualify
>          for an 'order` as well as a unique name.
>         */
>         return handler;
>     }
>
>     @Override
>     public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
>         if (true) {
>             plan.registerAuthenticationHandler(PostLdapAuthenticationHandler());
>         }
>     }
> }
> ===
>
>
> 2018-01-24 15:15:08,257 INFO 
> 

[cas-user] CAS 5.2.1 login-webflow and exceptionHandlers

2018-01-24 Thread Oscar del Pozo
Hi again...
 
Debugging the default CAS login flow when an AuthenticationHandler throws 
an Exception (i.e. UnauthorizedSsoServiceException) I see that 
the PolicyBasedAuthenticationManager handles that exception adding it to 
the failures list and finally throws an AuthenticationException. It seems 
to be fine.

But when that AuthenticationException is handled by the login web flow, the 
FlowExecutionExceptionHandlerSet has the following exceptions:

>  class 
> org.apereo.cas.services.UnauthorizedServiceForPrincipalException=serviceUnauthorizedCheck,
>  class 
> org.apereo.cas.services.UnauthorizedServiceException=serviceUnauthorizedCheck,
>  class 
> org.apereo.cas.services.UnauthorizedSsoServiceException=viewLoginForm,
>  class 
> org.springframework.webflow.execution.repository.NoSuchFlowExecutionException=viewServiceErrorView


Even when the thrown exception was one of that set, the login web flow is 
not able to identify that transition (it receives an 
AuthenticationException). This is a weird behaviour, isn't it?

Is there any easy way to extend the login web flow to add 
the org.apereo.cas.authentication.AuthenticationException to the 
exceptionHandlers set?



[cas-user] Re: pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-24 Thread Oscar del Pozo
Hi Martin,

Thanks for your response. Sadly, I think that the result of implementing a 
custom Authentication Handler would be the same as what I have now, a 
redirection to the CAS error page, since with my current implementation I'm 
throwing a FailedLoginException, which is exactly what you're 
doing.

So, I think that my question is not the correct one. I guess what I need is 
to modify the login-webflow to define what to do when an authentication 
failure happens. I'll follow the 
guide https://apereo.github.io/2016/10/07/webflow-extcfg/ to try to do it.

Regards



On Wednesday, 24 January 2018 at 3:43:27 (UTC+1), Martin Bohun wrote:
>
> Hello Oscar,
>
> This is an example of one possible solution:
> Our cas project (based on cas-4.0.x), uses Delegated Authentication 
> (Facebook/Google/Twitter) to perform "one click" SignUp/SignIn.
> We use a custom auth handler that uses the attributes (email, first_name, 
> surname) returned by Facebook/Google/Twitter to either:
> a) SignIn user if a user with that email exists in the system already, OR
> b) SignUp create the user in our system, and proceed to SignIn
>
> So at that point in the code where we are receiving/processing the email 
> address returned by Facebook/Google/Twitter:
>
> https://github.com/AtlasOfLivingAustralia/ala-cas-2.0/blob/master/src/main/java/org/jasig/cas/support/pac4j/authentication/handler/support/ALAClientAuthenticationHandler.java#L121
>
> one could do the type of filtering you want:
> a) hardcode it there
> b) externalize the email validation/check regexp into some 
> properties/config file so 
> c) fast/phugly/hack do the filtering in your LDAP, SQL query,
> etc.
>
> regards,
>
> martin
>
> On Wednesday, January 24, 2018 at 2:10:34 AM UTC+11, Oscar del Pozo wrote:
>>
>> Hi!
>>
>> I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but 
>> I'm facing a problem with the Google OAuth authentication.
>>
>> I have configured delegated authentication to Google with pac4j 
>> successfully, but I need to make a modification: only allow the emails which 
>> end with @companyname.com (I do agree that 
>> this kind of thing should not be done at CAS, because this is about 
>> authorization and not authentication, but I have to).
>>
>> I have added a new AuthorizationGenerator to the Google2Client instance 
>> so that, after retrieving the user profile with the Google2ProfileDefinition 
>> class, I make my validation and, in case the user email is not a 
>> valid one, I set the profile identifier to blank. The blank 
>> identifier causes a FailedLoginException at 
>> AbstractPac4jAuthenticationHandler.
>>
>> Everything seems to work fine but finally I get the following exception 
>> and the CAS error page is shown.
>>
>>
>> 2018-01-23 15:58:48,581 DEBUG 
>>> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] - >> access_token: ya29.Glx... to profile>
>>> 2018-01-23 15:58:48,581 DEBUG 
>>> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
>>> access_token / value:XXX-XXX / class java.lang.String>
>>> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>>> >> {name.familyName=del Pozo, 
>>> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
>>> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
>>> name.givenName=Oscar, ... |>
>>> 2018-01-23 15:58:49,599 WARN 
>>> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
>>> - 
>>> 2018-01-23 15:58:49,599 DEBUG 
>>> [org.pac4j.oauth.profile.google2.Google2Profile] 
>>> - 
>>> 2018-01-23 15:58:51,789 ERROR 
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>> >> authentication handler that supports 
>>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>>  
>>> of type [ClientCredential].>
>>> 2018-01-23 15:58:53,216 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: null
>>> WHAT: Supplied credentials: 
>>> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>>> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
>>> authentication has actually failed: 
>>> https://github.com/apereo/inspektr/pull/10)
>>> APPLICATION: CAS
>>> WHEN: Tue Jan 23 15:58:53 CET 2018
>>> CLIENT IP ADDRESS: 192
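The e-mail-domain rule from the original post in this thread (and the similar "@post.ca.gov" suffix check in the PostLdapAuthenticationHandler thread above), as an added example that is neither CAS nor pac4j code: an AuthorizationGenerator that blanks the profile id for any address outside the allowed domain, which is what makes AbstractPac4jAuthenticationHandler raise the FailedLoginException the post describes. It assumes the pac4j 2.x generate(WebContext, U) signature that CAS 5.2 builds against; the package, class name and the sample addresses are constructed.

```java
package org.example.cas.pac4j; // hypothetical package, not part of CAS

import java.util.Locale;

import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.oauth.profile.google2.Google2Profile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example, not CAS or pac4j code. Assumes the pac4j 2.x
 * AuthorizationGenerator contract (U generate(WebContext, U)).
 * Profiles whose e-mail is outside the allowed domain get a blank id,
 * so the delegated login is rejected by AbstractPac4jAuthenticationHandler.
 */
public final class AllowedDomainAuthorizationGenerator implements AuthorizationGenerator<Google2Profile> {
    private static final Logger LOGGER = LoggerFactory.getLogger(AllowedDomainAuthorizationGenerator.class);

    private final String allowedDomain;

    public AllowedDomainAuthorizationGenerator(final String allowedDomain) {
        this.allowedDomain = allowedDomain.toLowerCase(Locale.ROOT);
    }

    /**
     * Exact, case-insensitive match on everything after the last '@'.
     * A bare endsWith("companyname.com") would also accept
     * "user@notcompanyname.com"; comparing the whole domain part does not.
     */
    static boolean isAllowedDomain(final String email, final String allowedDomain) {
        if (email == null || allowedDomain == null) {
            return false;
        }
        final int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return false; // no local part or no domain part
        }
        return email.substring(at + 1).equalsIgnoreCase(allowedDomain);
    }

    @Override
    public Google2Profile generate(final WebContext context, final Google2Profile profile) {
        final String email = profile.getEmail();
        if (!isAllowedDomain(email, allowedDomain)) {
            LOGGER.warn("Rejecting delegated login for [{}]: e-mail domain is not [{}]", email, allowedDomain);
            profile.setId(""); // blank id -> FailedLoginException in AbstractPac4jAuthenticationHandler
        }
        return profile;
    }

    /** Stand-alone check of the domain rule on constructed inputs. */
    public static void main(final String[] args) {
        final String domain = "companyname.com";
        final String[] samples = {
            "alice@companyname.com",          // allowed
            "Bob@COMPANYNAME.COM",            // allowed: case-insensitive
            "carol@notcompanyname.com",       // rejected: endsWith would have accepted this
            "dave@companyname.com.example",   // rejected: different domain
            "@companyname.com",               // rejected: empty local part
            "no-at-sign",                     // rejected
            null                              // rejected: Google returned no e-mail
        };
        for (final String email : samples) {
            System.out.println(email + " -> " + (isAllowedDomain(email, domain) ? "allowed" : "rejected"));
        }
    }
}
```

Attach the generator with Google2Client.addAuthorizationGenerator(...) where the client is built. Keeping the domain comparison in a small static method makes it unit-testable on its own, independent of the pac4j profile plumbing.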

Re: [cas-user] CAS 5.2.1 report failed authentications as AUTHENTICATION_SUCCESS

2018-01-23 Thread Oscar del Pozo
Hi,

I've made a pull request solving this 
issue: https://github.com/apereo/inspektr/pull/10. It has already been 
approved.

On Friday, 19 January 2018 at 16:47:02 (UTC+1), Ben Howell-Thomas 
wrote:
>
> Might have solved it.
>
> To confirm what Mohsen said, seems fine in 5.2.0.
>
> Between 5.2.0 and 5.2.1 the inspektrVersion goes up from 1.7.0 to 1.7.1.GA.
>
> Between them, ah - I think I may have found it 
> - org.apereo.inspektr.audit.AuditTrailManagementAspect changes line 141 
> from :
>
> } catch (final Exception e) {
>
>
> to 
>
> } catch (final Throwable e) {
>
>
> I think I remember reading that polymorphism type things are worked out at 
> compile time.  If it's treating the AuthenticationException as a Throwable 
> then that's not an Exception (since Exception is a sub-class of Throwable) 
> but it is an Object, hence it calls the org.apereo.inspektr.audit.spi.
> support.DefaultAuditActionResolver.resolveFrom method that uses the 
> Object parameter and is therefore considered a success.
>
> This looks like a side effect of this commit to Inspektr:
>
>>
>> Commit: a51eefbc0fe6619bb651b91a99f44bb6d262e744 [a51eefb]
>> Parents: 8a07750485, 0cdde58bcc
>> Author: Misagh Moayyed 
>> Date: 06 March 2017 16:17:35
>> Committer: GitHub 
>> Merge pull request #8 from vvidovic/cherry-pick
>> Fix: auditing on Erorr (not only Exception)
>
>
> @Misagh/Apereo/everyone - Hope that's been helpful.  I'm sorry but I 
> haven't got time to submit a patch (partly because upgrading to 5.2 has 
> taken so long ;).  If it's not something anyone's likely to pick up I could 
> maybe look at it next week.
>
> blessings,
>
> Ben
>
> On 19 January 2018 at 14:52, Jeffrey Ramsay wrote:
>
>> How are you getting these statements in your logs? I can produce them 
>> since upgrading to 5.1 and it was used for our Splunk system.
>>
>> > level="info" additivity="false" includeLocation="true">
>> 
>> 
>> 
>>
>> -Jeff
>>
>> On Thu, Jan 11, 2018 at 2:35 AM, Mohsen Ebrahimi wrote:
>>
>>> Hello
>>>
>>> It works fine in 5.2. I think it's a bug.
>>>
>>> Thank you
>>>
>>>
>>> 2018-01-11 02:18:15,693 WARN 
>>> [org.apereo.cas.authentication.LdapAuthenticationHandler] - >> failed. [DN cannot be null]>
>>> 2018-01-11 02:18:15,694 ERROR 
>>> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>>> >> authentication handler that supports [wronguser] of type 
>>> [UsernamePasswordCredential].>
>>> 2018-01-11 02:18:15,697 INFO 
>>> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - >> trail record BEGIN
>>> =
>>> WHO: wronguser
>>> WHAT: Supplied credentials: [wronguser]
>>> ACTION: AUTHENTICATION_SUCCESS
>>> APPLICATION: CAS
>>> WHEN: Thu Jan 11 02:18:15 EST 2018
>>>

[cas-user] pac4j Google2Client auth delegation: How to unauthorize a profile?

2018-01-23 Thread Oscar del Pozo
Hi!

I'm migrating from CAS 4.0.5 to 5.2.1 and everything has gone perfectly, but 
I'm facing a problem with the Google OAuth authentication.

I have configured delegated authentication to Google with pac4j 
successfully, but I need to make a modification: only allow the emails which 
end with *@companyname.com* (I do agree that this kind of thing should not 
be done at CAS because this is about authorization and not authentication, 
but I have to).

I have added a new AuthorizationGenerator to the Google2Client instance so, 
after retrieving the user profile with the *Google2ProfileDefinition* class, 
I make my validation and, in case the user email is not a valid one, I 
set the profile identifier to blank. The blank identifier causes a 
*FailedLoginException* at *AbstractPac4jAuthenticationHandler*.

Everything seems to work fine but, finally, I get the following exception 
and the CAS error page is shown.

2018-01-23 15:58:48,581 DEBUG 
> [org.pac4j.oauth.profile.creator.OAuth20ProfileCreator] -  access_token: ya29.Glx... to profile>
> 2018-01-23 15:58:48,581 DEBUG 
> [org.pac4j.oauth.profile.google2.Google2Profile] -  key: 
> access_token / value:XXX-XXX / class java.lang.String>
> 2018-01-23 15:58:48,581 DEBUG [org.pac4j.oauth.client.Google2Client] - 
>  {name.familyName=del Pozo, 
> emails=[org.pac4j.oauth.profile.google2.Google2Email@64f6a901], 
> access_token=..., gender=MALE, displayName=Oscar del Pozo, 
> name.givenName=Oscar, ... |>
> 2018-01-23 15:58:49,599 WARN 
> [org.apereo.cas.support.pac4j.oauth.MyProfileAuthorizationGenerator] 
> - 
> 2018-01-23 15:58:49,599 DEBUG 
> [org.pac4j.oauth.profile.google2.Google2Profile] 
> - 
> 2018-01-23 15:58:51,789 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  authentication handler that supports 
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
>  
> of type [ClientCredential].>
> 2018-01-23 15:58:53,216 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@2f8fc6b0[id=]]
> ACTION: AUTHENTICATION_SUCCESS   (This is a reported bug, the 
> authentication has actually failed: 
> https://github.com/apereo/inspektr/pull/10)
> APPLICATION: CAS
> WHEN: Tue Jan 23 15:58:53 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =
> >
> 2018-01-23 15:58:53,247 ERROR 
> [org.springframework.boot.web.support.ErrorPageFilter] -  error page from request [/login] due to exception [Exception thrown 
> executing 
> org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction@848f27e
>  
> in state 'clientAction' of flow 'login' -- action execution attributes were 
> 'map[[empty]]']>

at 
> org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:60)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE]
> at 
> org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
>  
> ~[spring-webflow-2.4.6.RELEASE.jar:2.4.6.RELEASE] 
> [...]
> Caused by: org.apereo.cas.authentication.AuthenticationException: 1 
> errors, 0 successes
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220)
>  
> ~[cas-server-core-authentication-5.2.1.jar:5.2.1]



Is my approach correct? Is it possible to not show this CAS error and 
go to the 403 view?

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b4a8894e-1672-4c52-84e4-707f517454af%40apereo.org.


Re: [cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
Thanks!

On Tuesday, 23 January 2018, 12:50:29 (UTC+1), Dmitriy Kopylenko wrote:
>
> https://github.com/apereo/inspektr
>
> D. 
>
>
>
>
> On Tue, Jan 23, 2018 at 5:38 AM -0500, "Oscar del Pozo" <oscard...@gmail.com> wrote:
>

[cas-user] Inspektr audit says AUTHENTICATION_SUCCESS on authentication failures

2018-01-23 Thread Oscar del Pozo
There is a bug in the module inspektr-audit-1.7.1.GA: when an Exception is 
thrown on an authentication process, it ends up logging the authentication as 
successful:

Logs:

2018-01-23 11:18:18,583 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
>  has failed. Credentials may be incorrect or CAS cannot find 
> authentication handler that supports 
> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
>  
> of type [ClientCredential].>
> 2018-01-23 11:18:57,038 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: null
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@77d80cf8[id=]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Jan 23 11:18:57 CET 2018
> CLIENT IP ADDRESS: 192.168.56.1
> SERVER IP ADDRESS: 192.168.56.1
> =


The bug is located at 
*org.apereo.inspektr.audit.AuditTrailManagementAspect@handleAuditTrail(final 
ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable*:

@Around(value = "@annotation(audit)", argNames = "audit")
public Object handleAuditTrail(final ProceedingJoinPoint joinPoint, final Audit audit) throws Throwable {
    final AuditActionResolver auditActionResolver = this.auditActionResolvers.get(audit.actionResolverName());
    final AuditResourceResolver auditResourceResolver = this.auditResourceResolvers.get(audit.resourceResolverName());

    String currentPrincipal = null;
    String[] auditResource = new String[]{null};
    String action = null;
    Object retVal = null;
    try {
        retVal = joinPoint.proceed();

        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, retVal);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, retVal);
        action = auditActionResolver.resolveFrom(joinPoint, retVal, audit);

        return retVal;
    } catch (final Throwable e) {
        currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
        auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
        // e is statically a Throwable, so this call binds to the Object overload (see below)
        action = auditActionResolver.resolveFrom(joinPoint, e, audit);
        throw e;
    } finally {
        executeAuditCode(currentPrincipal, auditResource, joinPoint, retVal, action, audit);
    }
}

The problem here is that the auditActionResolver has two methods:

String resolveFrom(JoinPoint auditableTarget, Object retval, Audit audit);

String resolveFrom(JoinPoint auditableTarget, Exception exception, Audit 
audit);

When we try to invoke the second one, we have to cast the exception e so as 
not to enter the first method, where the success suffix will be applied to 
the audit log.

To fix this, the catch block should be:

} catch (final Throwable e) {
    currentPrincipal = this.auditPrincipalResolver.resolveFrom(joinPoint, e);
    auditResource = auditResourceResolver.resolveFrom(joinPoint, e);
    action = auditActionResolver.resolveFrom(joinPoint, (Exception) e, audit);
    throw e;
}

I would make a pull request, but I haven't found the source code on GitHub.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/019cf236-26be-4c3d-97e6-0bb731b8217e%40apereo.org.
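Added example (not inspektr's or CAS's code) illustrating the overload binding described in the report above: with a one-parameter stand-in for AuditActionResolver's Object/Exception overload pair, an argument caught as Throwable is bound at compile time to the Object overload, the proposed cast selects the Exception overload, and that cast itself fails for a java.lang.Error. The resolver, class and method names here are constructed for illustration and do not match inspektr's real three-parameter signatures.

```java
// Constructed demo of Java static overload resolution behind the
// AUTHENTICATION_SUCCESS-on-failure audit bug. Names are stand-ins.
public class OverloadResolutionDemo {

    // Stand-in for inspektr's AuditActionResolver overload pair.
    interface AuditActionResolver {
        String resolveFrom(Object retval);       // normal (success) path
        String resolveFrom(Exception exception); // failure path
    }

    static final AuditActionResolver RESOLVER = new AuditActionResolver() {
        public String resolveFrom(Object retval) { return "AUTHENTICATION_SUCCESS"; }
        public String resolveFrom(Exception exception) { return "AUTHENTICATION_FAILED"; }
    };

    // Overloads are chosen from the argument's static type, not its runtime
    // class: a Throwable is not an Exception, so this always picks the Object
    // overload and every failure is audited as a success.
    static String resolveAsBuggyAspectDoes(Throwable e) {
        return RESOLVER.resolveFrom(e);
    }

    // The cast proposed in the thread picks the Exception overload, but if e
    // is a java.lang.Error the cast throws ClassCastException inside the
    // catch block, replacing the original failure with a new one.
    static String resolveWithCast(Throwable e) {
        return RESOLVER.resolveFrom((Exception) e);
    }

    // Defensive variant (constructed, not the upstream fix): dispatch on the
    // runtime type so an Error is still audited as a failure, never a success.
    static String resolveDefensively(Throwable e) {
        if (e instanceof Exception) {
            return RESOLVER.resolveFrom((Exception) e);
        }
        return RESOLVER.resolveFrom(new RuntimeException(e));
    }

    public static void main(String[] args) {
        Throwable authFailure = new Exception("1 errors, 0 successes");
        Throwable jvmError = new OutOfMemoryError("simulated");
        System.out.println("buggy:      " + resolveAsBuggyAspectDoes(authFailure));
        System.out.println("cast:       " + resolveWithCast(authFailure));
        System.out.println("defensive:  " + resolveDefensively(jvmError));
        try {
            resolveWithCast(jvmError);
        } catch (ClassCastException cce) {
            System.out.println("cast on Error: " + cce.getClass().getSimpleName());
        }
    }
}
```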